2015-01-28 - AD TRAFFIC FROM LAX1.IB.ADNXS.COM KICKS OFF CHAIN OF EVENTS TO ANGLER EK

PCAP AND MALWARE:

 

SUMMARY

Since 2015-01-27, I've seen two examples of ad traffic from lax1.ib.adnxs.com that generated a chain of events leading to the Angler exploit kit (EK).  In both examples, the chain includes an HTTP POST to 216.246.41.184 that returns HTML pointing to the Angler EK landing page.

 

NOTE:  I haven't been able to recreate the chain of events, and I don't have a pcap to share.

 

TRAFFIC DETAILS

DATE/TIME:  2015-01-27 23:11 UTC

ASSOCIATED DOMAINS:

TRAFFIC:

 

DATE/TIME:  2015-01-28 16:22 UTC

ASSOCIATED DOMAINS:

TRAFFIC:

 

SCREENSHOTS FROM 2015-01-27

Malicious script from djs-media.com.  Note the variable marked near the bottom of the image:


The full script above is available in this blog entry's zip file.

 

HTTP POST to domain on 216.246.41.184 returns HTML directing the host to an Angler EK landing page:

 

Angler EK landing page:

 

SCREENSHOTS FROM 2015-01-28

Malicious script from online-marketing-maven.com.  Note the variable marked near the bottom of the image:


The full script above is available in this blog entry's zip file.

 

HTTP POST to domain on 216.246.41.184 returns HTML directing the host to an Angler EK landing page:

 

Angler EK landing page:

 

Angler EK sends Flash exploit:


No further traffic...  The host was running the most current version of Flash, and the exploit was not successful.
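The chain above (ad traffic from lax1.ib.adnxs.com, a script from one of the two listed domains, an HTTP POST to a domain on 216.246.41.184 answered with HTML, then the landing page and the Flash exploit) is what an analyst would want to pull back out of proxy logs after the fact.  The following is an added example of that reconstruction; it is not the author's code and is not from the zip file.  The log format, the client addresses, the placeholder hosts gate.example and angler-landing.example, the paths and the 0.0.0.x server addresses are all constructed for the example; the only indicators taken from the page are lax1.ib.adnxs.com, djs-media.com, online-marketing-maven.com and 216.246.41.184.

```python
"""
Reconstruct the Angler EK redirect chain from proxy log lines by following
Referer headers backwards from the HTTP POST to 216.246.41.184.

Added example, not the page author's code.  Log format, client addresses,
gate.example, angler-landing.example, all paths and the 0.0.0.x server
addresses are constructed; the hosts and the IP below come from the page.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the page.
AD_HOST = "lax1.ib.adnxs.com"
SCRIPT_HOSTS = {"djs-media.com", "online-marketing-maven.com"}
GATE_IP = "216.246.41.184"

# Constructed log format (one request per line):
# ts client method host dst_ip path referer status content_type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<ip>\S+) "
    r"(?P<path>\S+) (?P<referer>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample: one client walks the full chain, a second client only
# sees the ad and a benign script, so it must not produce a chain.
SAMPLE_LOG = """\
2015-01-28T16:22:01Z 10.0.0.5 GET lax1.ib.adnxs.com 0.0.0.1 /ttj?id=PLACEHOLDER - 200 text/html
2015-01-28T16:22:02Z 10.0.0.5 GET online-marketing-maven.com 0.0.0.2 /js/ad.js http://lax1.ib.adnxs.com/ttj?id=PLACEHOLDER 200 application/javascript
2015-01-28T16:22:03Z 10.0.0.5 POST gate.example 216.246.41.184 /post.php http://online-marketing-maven.com/js/ad.js 200 text/html
2015-01-28T16:22:04Z 10.0.0.5 GET angler-landing.example 0.0.0.3 /PLACEHOLDER http://gate.example/post.php 200 text/html
2015-01-28T16:22:05Z 10.0.0.5 GET angler-landing.example 0.0.0.3 /PLACEHOLDER.swf http://angler-landing.example/PLACEHOLDER 200 application/x-shockwave-flash
2015-01-28T16:30:00Z 10.0.0.7 GET lax1.ib.adnxs.com 0.0.0.1 /ttj?id=OTHER - 200 text/html
2015-01-28T16:30:01Z 10.0.0.7 GET legit-cdn.example 0.0.0.9 /banner.js http://lax1.ib.adnxs.com/ttj?id=OTHER 200 application/javascript
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def url_of(rec):
    return f"http://{rec['host']}{rec['path']}"


def host_of(url):
    return urlsplit(url).hostname if url != "-" else None


def find_chains(records):
    """Return one dict per client that shows a POST to the gate IP answered with HTML,
    with the stages of the chain resolved by following Referer headers."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        by_url = {url_of(r): r for r in recs}
        for i, r in enumerate(recs):
            # Pivot: an HTTP POST to the gate IP whose response is HTML.
            if not (r["method"] == "POST" and r["ip"] == GATE_IP
                    and r["ctype"].startswith("text/html")):
                continue
            # Walk backwards: the script that issued the POST, then the ad that loaded it.
            script = by_url.get(r["referer"])
            ad = by_url.get(script["referer"]) if script else None
            # Walk forwards: the first request that cites the POST URL as its Referer
            # is the landing page; a Flash object fetched from the landing host follows.
            landing = next((x for x in recs[i + 1:] if x["referer"] == url_of(r)), None)
            flash = None
            if landing:
                flash = next((x for x in recs[i + 1:]
                              if host_of(x["referer"]) == landing["host"]
                              and "shockwave" in x["ctype"]), None)
            chains.append({
                "client": client,
                "ad_host": ad["host"] if ad else None,
                "script_host": script["host"] if script else None,
                "script_known": bool(script) and script["host"] in SCRIPT_HOSTS,
                "gate_ip": r["ip"],
                "landing_host": landing["host"] if landing else None,
                "flash_delivered": flash is not None,
            })
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

The pivot is deliberately the POST-returns-HTML step rather than the ad host: adnxs traffic is common and mostly benign, whereas a POST to this IP answered with text/html is the distinctive step in both observed examples.  The second client in the constructed sample sees the ad and a benign script and produces no chain, which is the false-positive case a detection like this has to handle.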

 

FINAL NOTES

Once again, here's the ZIP file of the artifacts from this traffic:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
